Johan Hovold [Tue, 19 Mar 2013 08:21:15 +0000 (09:21 +0100)]
USB: ftdi_sio: fix use-after-free in TIOCMIWAIT
Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.
This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.
When switching to tty ports, some lifetime assumptions were changed.
Specifically, close can now be called before the final tty reference is
dropped as part of hangup at device disconnect. Even with the ftdi
private-data refcounting this means that the port private data can be
freed while a process is sleeping on modem-status changes and thus
cannot be relied on to detect disconnects when woken up.
Johan Hovold [Tue, 19 Mar 2013 08:21:09 +0000 (09:21 +0100)]
USB: serial: fix interface refcounting
Make sure the interface is not released before our serial device.
Note that drivers are still not allowed to access the interface in
any way that may interfere with another driver that may have gotten
bound to the same interface after disconnect returns.
Johan Hovold [Tue, 19 Mar 2013 08:21:08 +0000 (09:21 +0100)]
USB: io_ti: fix get_icount for two port adapters
Add missing get_icount field to two-port driver.
The two-port driver was not updated when switching to the new icount
interface in commit 0bca1b913aff ("tty: Convert the USB drivers to the
new icount interface").
Johan Hovold [Tue, 19 Mar 2013 08:21:07 +0000 (09:21 +0100)]
USB: garmin_gps: fix memory leak on disconnect
Remove bogus disconnect test introduced by 95bef012e ("USB: more serial
drivers writing after disconnect") which prevented queued data from
being freed on disconnect.
The possible IO it was supposed to prevent is long gone.
Johan Hovold [Tue, 19 Mar 2013 08:21:06 +0000 (09:21 +0100)]
USB: cdc-acm: fix device unregistration
Unregister tty device in disconnect as is required by the USB stack.
By deferring unregistration to when the last tty reference is dropped,
the parent interface device can get unregistered before the child
resulting in broken hotplug events being generated when the tty is
finally closed:
The driver must deal with tty callbacks after disconnect by checking the
disconnected flag. Specifically, further opens must be prevented and
this is already implemented.
Cc: stable <stable@vger.kernel.org> Cc: Oliver Neukum <oneukum@suse.de> Acked-by: Oliver Neukum <oneukum@suse.de> Signed-off-by: Johan Hovold <jhovold@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
acm_probe() ignores errors in tty_port_register_device()
and leaves intfdata pointing to freed memory on alloc_fail7
error path. The patch fixes the both issues.
Found by Linux Driver Verification project (linuxtesting.org).
The Kconfig symbol USB_GADGET_NET2272_DMA was renamed to USB_NET2272_DMA
in commit 193ab2a6070039e7ee2b9b9bebea754a7c52fd1b ("usb: gadget: allow
multiple gadgets to be built"). That commit did not convert the only
occurrence of the corresponding Kconfig macro. Convert that macro now.
Signed-off-by: Paul Bolle <pebolle@tiscali.nl> Signed-off-by: Felipe Balbi <balbi@ti.com>
Alan Stern [Wed, 20 Mar 2013 19:07:26 +0000 (15:07 -0400)]
USB: EHCI: fix regression in QH unlinking
This patch (as1670) fixes a regression caused by commit 6402c796d3b4205d3d7296157956c5100a05d7d6 (USB: EHCI: work around
silicon bug in Intel's EHCI controllers). The workaround goes through
two IAA cycles for each QH being unlinked. During the first cycle,
the QH is not added to the async_iaa list (because it isn't fully gone
from the hardware yet), which means that list will be empty.
Unfortunately, I forgot to update the IAA watchdog timer routine. It
thinks that an empty async_iaa list means the timer expiration was an
error, which isn't true any more. This problem didn't show up during
initial testing because the controllers being tested all had working
IAA interrupts. But not all controllers do, and when the watchdog
timer expires, the empty-list check prevents the second IAA cycle from
starting. As a result, URB unlinks never complete. The check needs
to be removed.
Among the symptoms of the regression are processes stuck in D wait
states and hangs during system shutdown.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-and-tested-by: Stephen Warren <swarren@wwwdotorg.org> Reported-and-tested-by: Sven Joachim <svenjoac@gmx.de> Reported-by: Andreas Bombe <aeb@debian.org> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Truls Bengtsson [Wed, 20 Mar 2013 13:02:25 +0000 (14:02 +0100)]
usb: gadget: f_rndis: Avoid to use ERROR macro if cdev can be null
The udc_irq service runs the isr_tr_complete_handler which in turn
"nukes" the endpoints, including a call to rndis_response_complete,
if appropriate. If the rndis_msg_parser fails here, an error will
be printed using a dev_err call (through the ERROR() macro).
However, if the usb cable was just disconnected the device (cdev)
might not be available and will be null. Since the dev_err macro will
dereference the cdev pointer we get a null pointer exception.
Reviewed-by: Radovan Lekanovic <radovan.lekanovic@sonymobile.com> Signed-off-by: Truls Bengtsson <truls.bengtsson@sonymobile.com> Signed-off-by: Oskar Andero <oskar.andero@sonymobile.com> Acked-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Felipe Balbi <balbi@ti.com>
Fabio Estevam [Wed, 20 Mar 2013 13:35:44 +0000 (10:35 -0300)]
usb: ulpi: Define a *otg_ulpi_create no-op
Building a kernel for imx_v4_v5_defconfig with CONFIG_USB_ULPI disabled, results
in the following error:
arch/arm/mach-imx/built-in.o: In function 'pca100_init':
platform-mx2-emma.c:(.init.text+0x6788): undefined reference to 'otg_ulpi_create'
platform-mx2-emma.c:(.init.text+0x682c): undefined reference to 'mxc_ulpi_access_ops'
Fix this by providing a no-op definition of *otg_ulpi_create for the case when
CONFIG_USB_ULPI is not defined.
Acked-by: Igor Grinberg <grinberg@compulab.co.il> Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com> Signed-off-by: Felipe Balbi <balbi@ti.com>
This patch fixes an "off-by-one" bug found in 581791f (FunctionFS: enable multiple functions).
During gfs_bind/gfs_unbind the functionfs_bind/functionfs_unbind should be
called for every functionfs instance. With the "i" pre-decremented they
were not called for the zeroth instance.
Acked-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> Cc: <stable@vger.kernel.org>
[ balbi@ti.com : added offending commit's subject ]
Alan Stern [Fri, 15 Mar 2013 18:03:17 +0000 (14:03 -0400)]
USB: gadget: net2280: remove leftover driver->unbind call in error pathway
This patch (as1667) removes an incorrect driver->unbind() call from
the net2280 driver. If startup fails, the UDC core takes care of
unbinding the gadget driver automatically; the controller driver
shouldn't do it too.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Felipe Balbi <balbi@ti.com>
Alan Stern [Fri, 15 Mar 2013 18:02:14 +0000 (14:02 -0400)]
usb: gadget: udc-core: fix a regression during gadget driver unbinding
This patch (as1666) fixes a regression in the UDC core. The core
takes care of unbinding gadget drivers, and it does the unbinding
before telling the UDC driver to turn off the controller hardware.
When the call to the udc_stop callback is made, the gadget no longer
has a driver. The callback routine should not be invoked with a
pointer to the old driver; doing so can cause problems (such as
use-after-free accesses in net2280).
This patch should be applied, with appropriate context changes, to all
the stable kernels going back to 3.1.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> CC: <stable@vger.kernel.org> Signed-off-by: Felipe Balbi <balbi@ti.com>
Dmitry Torokhov [Mon, 25 Feb 2013 18:56:01 +0000 (10:56 -0800)]
USB: xhci - fix bit definitions for IMAN register
According to XHCI specification (5.5.2.1) the IP is bit 0 and IE is bit 1
of IMAN register. Previously their definitions were reversed.
Even though there are no ill effects being observed from the swapped
definitions (because IMAN_IP is RW1C and in legacy PCI case we come in
with it already set to 1 so it was clearing itself even though we were
setting IMAN_IE instead of IMAN_IP), we should still correct the values.
This patch should be backported to kernels as old as 2.6.36, that
contain the commit 4e833c0b87a30798e67f06120cecebef6ee9644c "xhci: don't
re-enable IE constantly".
Signed-off-by: Dmitry Torokhov <dtor@vmware.com> Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com> Cc: stable@vger.kernel.org
usb: musb: gadget: do *unmap_dma_buffer* only for valid DMA addr
musb does not use DMA buffer for ep0 but it uses the same giveback
function *musb_g_giveback* for all endpoints (*musb_g_ep0_giveback* calls
*musb_g_giveback*). So for ep0 case request.dma will be '0'
and will result in kernel OOPS if tried to *unmap_dma_buffer* for requests in
ep0. Fixed it by doing *unmap_dma_buffer* only for valid DMA addr and
checking that musb_ep->dma is valid when unmapping.
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com> Signed-off-by: Felipe Balbi <balbi@ti.com>
Alan Stern [Fri, 15 Mar 2013 18:40:26 +0000 (14:40 -0400)]
USB: EHCI: fix regression during bus resume
This patch (as1663) fixes a regression caused by commit 6e0c3339a6f19d748f16091d0a05adeb1e1f822b (USB: EHCI: unlink one async
QH at a time). In order to avoid keeping multiple QHs in an unusable
intermediate state, that commit changed unlink_empty_async() so that
it unlinks only one empty QH at a time.
However, when the EHCI root hub is suspended, _all_ async QHs need to
be unlinked. ehci_bus_suspend() used to do this by calling
unlink_empty_async(), but now this only unlinks one of the QHs, not
all of them.
The symptom is that when the root hub is resumed, USB communications
don't work for some period of time. This is because ehci-hcd doesn't
realize it needs to restart the async schedule; it assumes that
because some QHs are already on the schedule, the schedule must be
running.
The easiest way to fix the problem is add a new function that unlinks
all the async QHs when the root hub is suspended.
This patch should be applied to all kernels that have the 6e0c3339a6f1
commit.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-and-tested-by: Adrian Bassett <adrian.bassett@hotmail.co.uk> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Hannes Reinecke [Mon, 4 Mar 2013 16:14:43 +0000 (17:14 +0100)]
USB: xhci: correctly enable interrupts
xhci has its own interrupt enabling routine, which will try to
use MSI-X/MSI if present. So the usb core shouldn't try to enable
legacy interrupts; on some machines the xhci legacy IRQ setting
is invalid.
v3: Be careful to not break XHCI_BROKEN_MSI workaround (by trenn)
Cc: Bjorn Helgaas <bhelgaas@google.com> Cc: Oliver Neukum <oneukum@suse.de> Cc: Thomas Renninger <trenn@suse.de> Cc: Yinghai Lu <yinghai@kernel.org> Cc: Frederik Himpe <fhimpe@vub.ac.be> Cc: David Haerdeman <david@hardeman.nu> Cc: Alan Stern <stern@rowland.harvard.edu> Acked-by: Sarah Sharp <sarah.a.sharp@linux.intel.com> Reviewed-by: Thomas Renninger <trenn@suse.de> Signed-off-by: Hannes Reinecke <hare@suse.de> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stephane Eranian [Fri, 15 Mar 2013 13:26:07 +0000 (14:26 +0100)]
perf,x86: fix kernel crash with PEBS/BTS after suspend/resume
This patch fixes a kernel crash when using precise sampling (PEBS)
after a suspend/resume. Turns out the CPU notifier code is not invoked
on CPU0 (BP). Therefore, the DS_AREA (used by PEBS) is not restored properly
by the kernel and keeps it power-on/resume value of 0 causing any PEBS
measurement to crash when running on CPU0.
The workaround is to add a hook in the actual resume code to restore
the DS Area MSR value. It is invoked for all CPUS. So for all but CPU0,
the DS_AREA will be restored twice but this is harmless.
The vm_flags introduced in 6d7825b10dbe ("mm/fremap.c: fix oops on error
path") is supposed to avoid a compiler warning about unitialized
vm_flags without changing the generated code.
However I am concerned that this is going to be very brittle, and fail
with some compiler versions. The failure could be either of:
- compiler could actually load vma->vm_flags before checking for the
!vma condition, thus reintroducing the oops
- compiler could optimize out the !vma check, since the pointer just got
dereferenced shortly before (so the compiler knows it can't be NULL!)
I propose reversing this part of the change and initializing vm_flags to 0
just to avoid the bogus uninitialized use warning.
Signed-off-by: Michel Lespinasse <walken@google.com> Cc: Tommi Rantala <tt.rantala@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Thu, 14 Mar 2013 21:53:07 +0000 (14:53 -0700)]
Merge branch 'rcu/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu
Pull fix for hlist_entry_safe() regression from Paul McKenney:
"This contains a single commit that fixes a regression in
hlist_entry_safe(). This macro references its argument twice, which
can cause NULL-pointer errors. This commit applies a gcc statement
expression, creating a temporary variable to avoid the double
reference. This has been posted to LKML at
https://lkml.org/lkml/2013/3/9/75.
Kudos to CAI Qian, whose testing uncovered this, to Eric Dumazet, who
spotted root cause, and to Li Zefan, who tested this commit."
* 'rcu/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu:
list: Fix double fetch of pointer in hlist_entry_safe()
list: Fix double fetch of pointer in hlist_entry_safe()
The current version of hlist_entry_safe() fetches the pointer twice,
once to test for NULL and the other to compute the offset back to the
enclosing structure. This is OK for normal lock-based use because in
that case, the pointer cannot change. However, when the pointer is
protected by RCU (as in "rcu_dereference(p)"), then the pointer can
change at any time. This use case can result in the following sequence
of events:
1. CPU 0 invokes hlist_entry_safe(), fetches the RCU-protected
pointer as sees that it is non-NULL.
2. CPU 1 invokes hlist_del_rcu(), deleting the entry that CPU 0
just fetched a pointer to. Because this is the last entry
in the list, the pointer fetched by CPU 0 is now NULL.
3. CPU 0 refetches the pointer, obtains NULL, and then gets a
NULL-pointer crash.
This commit therefore applies gcc's "({ })" statement expression to
create a temporary variable so that the specified pointer is fetched
only once, avoiding the above sequence of events. Please note that
it is the caller's responsibility to use rcu_dereference() as needed.
This allows RCU-protected uses to work correctly without imposing
any additional overhead on the non-RCU case.
Many thanks to Eric Dumazet for spotting root cause!
Reported-by: CAI Qian <caiqian@redhat.com> Reported-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Tested-by: Li Zefan <lizefan@huawei.com>
Linus Torvalds [Thu, 14 Mar 2013 19:11:28 +0000 (12:11 -0700)]
Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
Pull ext2, ext3, reiserfs, quota fixes from Jan Kara:
"A fix for regression in ext2, and a format string issue in ext3. The
rest isn't too serious."
* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
ext2: Fix BUG_ON in evict() on inode deletion
reiserfs: Use kstrdup instead of kmalloc/strcpy
ext3: Fix format string issues
quota: add missing use of dq_data_lock in __dquot_initialize
Linus Torvalds [Wed, 13 Mar 2013 22:47:50 +0000 (15:47 -0700)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
Pull namespace bugfixes from Eric Biederman:
"This tree includes a partial revert for "fs: Limit sys_mount to only
request filesystem modules." When I added the new style module aliases
to the filesystems I deleted the old ones. A bad move. It turns out
that distributions like Arch linux use module aliases when
constructing ramdisks. Which meant ultimately that an ext3 filesystem
mounted with ext4 would not result in the ext4 module being put into
the ramdisk.
The other change in this tree adds a handful of filesystem module
alias I simply failed to add the first time. Which inconvinienced a
few folks using cifs.
I don't want to inconvinience folks any longer than I have to so here
are these trivial fixes."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
fs: Readd the fs module aliases.
fs: Limit sys_mount to only request filesystem modules. (Part 3)
Tejun Heo [Wed, 13 Mar 2013 21:59:49 +0000 (14:59 -0700)]
idr: idr_alloc() shouldn't trigger lowmem warning when preloaded
GFP_NOIO is often used for idr_alloc() inside preloaded section as the
allocation mask doesn't really matter. If the idr tree needs to be
expanded, idr_alloc() first tries to allocate using the specified
allocation mask and if it fails falls back to the preloaded buffer. This
order prevent non-preloading idr_alloc() users from taking advantage of
preloading ones by using preload buffer without filling it shifting the
burden of allocation to the preload users.
Unfortunately, this allowed/expected-to-fail kmem_cache allocation ends up
generating spurious slab lowmem warning before succeeding the request from
the preload buffer.
This patch makes idr_layer_alloc() add __GFP_NOWARN to the first
kmem_cache attempt and try kmem_cache again w/o __GFP_NOWARN after
allocation from preload_buffer fails so that lowmem warning is generated
if not suppressed by the original @gfp_mask.
Signed-off-by: Tejun Heo <tj@kernel.org> Reported-by: David Teigland <teigland@redhat.com> Tested-by: David Teigland <teigland@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
David Howells [Wed, 13 Mar 2013 21:59:48 +0000 (14:59 -0700)]
UAPI: fix endianness conditionals in M32R's asm/stat.h
In the UAPI header files, __BIG_ENDIAN and __LITTLE_ENDIAN must be
compared against __BYTE_ORDER in preprocessor conditionals where these are
exposed to userspace (that is they're not inside __KERNEL__ conditionals).
However, in the main kernel the norm is to check for
"defined(__XXX_ENDIAN)" rather than comparing against __BYTE_ORDER and
this has incorrectly leaked into the userspace headers.
The definition of struct stat64 in M32R's asm/stat.h is wrong in this way.
Note that userspace will likely interpret the field order incorrectly as
the big-endian variant on little-endian machines - depending on header
inclusion order.
[!!!] NOTE [!!!] This patch may adversely change the userspace API. It might
be better to fix the ordering of st_blocks and __pad4 in struct stat64.
Signed-off-by: David Howells <dhowells@redhat.com> Cc: Hirokazu Takata <takata@linux-m32r.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
David Howells [Wed, 13 Mar 2013 21:59:47 +0000 (14:59 -0700)]
UAPI: fix endianness conditionals in linux/raid/md_p.h
In the UAPI header files, __BIG_ENDIAN and __LITTLE_ENDIAN must be
compared against __BYTE_ORDER in preprocessor conditionals where these are
exposed to userspace (that is they're not inside __KERNEL__ conditionals).
However, in the main kernel the norm is to check for
"defined(__XXX_ENDIAN)" rather than comparing against __BYTE_ORDER and
this has incorrectly leaked into the userspace headers.
The definition of struct mdp_superblock_s in linux/raid/md_p.h is wrong in
this way. Note that userspace will likely interpret the ordering of the
fields incorrectly as the big-endian variant on a little-endian machines -
depending on header inclusion order.
[!!!] NOTE [!!!] This patch may adversely change the userspace API. It might
be better to fix the ordering of events_hi, events_lo, cp_events_hi and
cp_events_lo in struct mdp_superblock_s / typedef mdp_super_t.
Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: NeilBrown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
David Howells [Wed, 13 Mar 2013 21:59:46 +0000 (14:59 -0700)]
UAPI: fix endianness conditionals in linux/acct.h
In the UAPI header files, __BIG_ENDIAN and __LITTLE_ENDIAN must be
compared against __BYTE_ORDER in preprocessor conditionals where these are
exposed to userspace (that is they're not inside __KERNEL__ conditionals).
However, in the main kernel the norm is to check for
"defined(__XXX_ENDIAN)" rather than comparing against __BYTE_ORDER and
this has incorrectly leaked into the userspace headers.
The definition of ACCT_BYTEORDER in linux/acct.h is wrong in this way.
Note that userspace will likely interpret this incorrectly as the
big-endian variant on little-endian machines - depending on header
inclusion order.
[!!!] NOTE [!!!] This patch may adversely change the userspace API. It might
be better to fix the value of ACCT_BYTEORDER.
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
David Howells [Wed, 13 Mar 2013 21:59:45 +0000 (14:59 -0700)]
UAPI: fix endianness conditionals in linux/aio_abi.h
In the UAPI header files, __BIG_ENDIAN and __LITTLE_ENDIAN must be
compared against __BYTE_ORDER in preprocessor conditionals where these are
exposed to userspace (that is they're not inside __KERNEL__ conditionals).
However, in the main kernel the norm is to check for
"defined(__XXX_ENDIAN)" rather than comparing against __BYTE_ORDER and
this has incorrectly leaked into the userspace headers.
The definition of PADDED() in linux/aio_abi.h is wrong in this way. Note
that userspace will likely interpret this and thus the order of fields in
struct iocb incorrectly as the little-endian variant on big-endian
machines - depending on header inclusion order.
[!!!] NOTE [!!!] This patch may adversely change the userspace API. It might
be better to fix the ordering of aio_key and aio_reserved1 in struct iocb.
Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Benjamin LaHaise <bcrl@kvack.org> Acked-by: Jeff Moyer <jmoyer@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Tejun Heo [Wed, 13 Mar 2013 21:59:42 +0000 (14:59 -0700)]
idr: deprecate idr_pre_get() and idr_get_new[_above]()
Now that all in-kernel users are converted to ues the new alloc
interface, mark the old interface deprecated. We should be able to
remove these in a few releases.
Signed-off-by: Tejun Heo <tj@kernel.org> Cc: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Tejun Heo [Wed, 13 Mar 2013 21:59:41 +0000 (14:59 -0700)]
tidspbridge: convert to idr_alloc()
idr_get_new*() and friends are about to be deprecated. Convert to the
new idr_alloc() interface.
There are some peculiarities and possible bugs in the converted
functions. This patch preserves those.
* drv_insert_node_res_element() returns -ENOMEM on alloc failure,
-EFAULT if id space is exhausted. -EFAULT is at best misleading.
* drv_proc_insert_strm_res_element() is even weirder. It returns
-EFAULT if kzalloc() fails, -ENOMEM if idr preloading fails and
-EPERM if id space is exhausted. What's going on here?
* drv_proc_insert_strm_res_element() doesn't free *pstrm_res after
failure.
Tejun Heo [Wed, 13 Mar 2013 21:59:39 +0000 (14:59 -0700)]
mlx4: remove leftover idr_pre_get() call
Commit 6a9200603d76 ("IB/mlx4: convert to idr_alloc()") forgot to remove
idr_pre_get() call in mlx4_ib_cm_paravirt_init(). It's unnecessary and
idr_pre_get() will soon be deprecated. Remove it.
Signed-off-by: Tejun Heo <tj@kernel.org> Cc: Jack Morgenstein <jackm@dev.mellanox.co.il> Cc: Or Gerlitz <ogerlitz@mellanox.com> Cc: Roland Dreier <roland@purestorage.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Tejun Heo [Wed, 13 Mar 2013 21:59:37 +0000 (14:59 -0700)]
nfsd: convert to idr_alloc()
idr_get_new*() and friends are about to be deprecated. Convert to the
new idr_alloc() interface.
Only compile-tested.
Signed-off-by: Tejun Heo <tj@kernel.org> Acked-by: J. Bruce Fields <bfields@redhat.com> Tested-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Kees Cook [Wed, 13 Mar 2013 21:59:33 +0000 (14:59 -0700)]
signal: always clear sa_restorer on execve
When the new signal handlers are set up, the location of sa_restorer is
not cleared, leaking a parent process's address space location to
children. This allows for a potential bypass of the parent's ASLR by
examining the sa_restorer value returned when calling sigaction().
Based on what should be considered "secret" about addresses, it only
matters across the exec not the fork (since the VMAs haven't changed
until the exec). But since exec sets SIG_DFL and keeps sa_restorer,
this is where it should be fixed.
Given the few uses of sa_restorer, a "set" function was not written
since this would be the only use. Instead, we use
__ARCH_HAS_SA_RESTORER, as already done in other places.
Toshi Kani [Wed, 13 Mar 2013 21:59:31 +0000 (14:59 -0700)]
mm: remove_memory(): fix end_pfn setting
remove_memory() calls walk_memory_range() with [start_pfn, end_pfn), where
end_pfn is exclusive in this range. Therefore, end_pfn needs to be set to
the next page of the end address.
Andrew Morton [Wed, 13 Mar 2013 21:59:30 +0000 (14:59 -0700)]
include/linux/res_counter.h needs errno.h
alpha allmodconfig:
In file included from mm/memcontrol.c:28:
include/linux/res_counter.h: In function 'res_counter_set_limit':
include/linux/res_counter.h:203: error: 'EBUSY' undeclared (first use in this function)
include/linux/res_counter.h:203: error: (Each undeclared identifier is reported only once
include/linux/res_counter.h:203: error: for each function it appears in.)
Linus Torvalds [Wed, 13 Mar 2013 22:03:48 +0000 (15:03 -0700)]
Merge tag 'usb-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB fixes from Greg Kroah-Hartman:
"Here are a number of tiny USB fixes and new USB device ids for your
3.9 tree.
The "largest" one here is a revert of a usb-storage patch that turned
out to be incorrect, breaking existing users, which is never a good
thing. Everything else is pretty simple and small"
* tag 'usb-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (43 commits)
USB: quatech2: only write to the tty if the port is open.
qcserial: bind to DM/DIAG port on Gobi 1K devices
USB: cdc-wdm: fix buffer overflow
usb: serial: Add Rigblaster Advantage to device table
qcaux: add Franklin U600
usb: musb: core: fix possible build error with randconfig
usb: cp210x new Vendor/Device IDs
usb: gadget: pxa25x: fix disconnect reporting
usb: dwc3: ep0: fix sparc64 build
usb: c67x00 RetryCnt value in c67x00 TD should be 3
usb: Correction to c67x00 TD data length mask
usb: Makefile: fix drivers/usb/phy/ Makefile entry
USB: added support for Cinterion's products AH6 and PLS8
usb: gadget: fix omap_udc build errors
USB: storage: fix Huawei mode switching regression
USB: storage: in-kernel modeswitching is deprecated
tools: usb: ffs-test: Fix build failure
USB: option: add Huawei E5331
usb: musb: omap2430: fix sparse warning
usb: musb: omap2430: fix omap_musb_mailbox glue check again
...
Linus Torvalds [Wed, 13 Mar 2013 22:02:02 +0000 (15:02 -0700)]
Merge tag 'tty-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Pull tty/serial fixes from Greg Kroah-Hartman:
"Here are some tty/serial driver fixes for 3.9
We finally mute the annoying WARN_ON that lots of people are hitting
and it turns out isn't needed anymore. Also add a few new device ids
and a some other minor fixes."
* tag 'tty-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
tty: serial: fix typo "SERIAL_S3C2412"
serial: 8250: Keep 8250.<xxxx> module options functional after driver rename
tty: serial: fix typo "ARCH_S5P6450"
tty/8250_pnp: serial port detection regression since v3.7
serial: bcm63xx_uart: fix compilation after "TTY: switch tty_insert_flip_char"
serial: 8250_pci: add support for another kind of NetMos Technology PCI 9835 Multi-I/O Controller
Fix 4 port and add support for 8 port 'Unknown' PCI serial port cards
tty/serial: Add support for Altera serial port
tty: serial: vt8500: Unneccessary duplicated clock code removed
tty: serial: mpc5xxx: fix PSC clock name bug
TTY: disable debugging warning
Linus Torvalds [Wed, 13 Mar 2013 22:01:08 +0000 (15:01 -0700)]
Merge tag 'staging-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
Pull staging tree fixes from Greg Kroah-Hartman:
"Here are some drivers/staging and drivers/iio fixes for 3.9 (the two
are still pretty intertwined, hence them coming both from my tree
still.) Nothing major, just a few things that have been reported by
users, all of these have been in linux-next for a while."
* tag 'staging-3.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
staging: comedi: dt9812: use CR_CHAN() for channel number
staging/vt6656: Fix too large integer constant warning on 32-bit
staging: comedi: drivers: usbduxsigma.c: fix DMA buffers on stack
staging: imx/drm: request irq only after adding the crtc
staging: comedi: drivers: usbduxfast.c: fix for DMA buffers on stack
staging: comedi: drivers: usbdux.c: fix DMA buffers on stack
staging: vt6656: Fix oops on resume from suspend.
iio:common:st_sensors fixed all warning messages about uninitialized variables
iio: Fix build error seen if IIO_TRIGGER is defined but IIO_BUFFER is not
iio/imu: inv_mpu6050 depends on IIO_BUFFER
iio:ad5064: Initialize register cache correctly
iio:ad5064: Fix off by one in DAC value range check
iio:ad5064: Fix address of the second channel for ad5065/ad5045/ad5025
Don't allowing sharing the root directory with processes in a
different user namespace. There doesn't seem to be any point, and to
allow it would require the overhead of putting a user namespace
reference in fs_struct (for permission checks) and incrementing that
reference count on practically every call to fork.
So just perform the inexpensive test of forbidding sharing fs_struct
acrosss processes in different user namespaces. We already disallow
other forms of threading when unsharing a user namespace so this
should be no real burden in practice.
This updates setns, clone, and unshare to disallow multiple user
namespaces sharing an fs_struct.
Bill Pemberton [Wed, 13 Mar 2013 13:50:15 +0000 (09:50 -0400)]
USB: quatech2: only write to the tty if the port is open.
The commit 2e124b4a390ca85325fae75764bef92f0547fa25 removed the checks
that prevented qt2_process_read_urb() from trying to put chars into
ttys that weren't actually opened. This resulted in 'tty is NULL'
warnings from flush_to_ldisc() when the device was used.
The devices use just one read urb for all ports. As a result
qt2_process_read_urb() may be called with the current port set to a
port number that has not been opened. Add a check if the port is open
before calling tty_flip_buffer_push().
Signed-off-by: Bill Pemberton <wfp5p@virginia.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jan Kara [Wed, 13 Mar 2013 11:57:08 +0000 (12:57 +0100)]
ext2: Fix BUG_ON in evict() on inode deletion
Commit 8e3dffc6 introduced a regression where deleting inode with
large extended attributes leads to triggering
BUG_ON(inode->i_state != (I_FREEING | I_CLEAR))
in fs/inode.c:evict(). That happens because freeing of xattr block
dirtied the inode and it happened after clear_inode() has been called.
Fix the issue by moving removal of xattr block into ext2_evict_inode()
before clear_inode() call close to a place where data blocks are
truncated. That is also more logical place and removes surprising
requirement that ext2_free_blocks() mustn't dirty the inode.
Reported-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: Jan Kara <jack@suse.cz>
Randy Dunlap [Mon, 4 Mar 2013 22:32:59 +0000 (14:32 -0800)]
signals: fix new kernel-doc warnings
Fix new kernel-doc warnings in kernel/signal.c:
Warning(kernel/signal.c:2689): No description found for parameter 'uset'
Warning(kernel/signal.c:2689): Excess function parameter 'set' description in 'sys_rt_sigpending'
Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Randy Dunlap [Mon, 4 Mar 2013 22:32:54 +0000 (14:32 -0800)]
idr: fix new kernel-doc warnings
Fix new kernel-doc warnings in idr:
Warning(include/linux/idr.h:113): No description found for parameter 'idr'
Warning(include/linux/idr.h:113): Excess function parameter 'idp' description in 'idr_find'
Warning(lib/idr.c:232): Excess function parameter 'id' description in 'sub_alloc'
Warning(lib/idr.c:232): Excess function parameter 'id' description in 'sub_alloc'
Linus Torvalds [Wed, 13 Mar 2013 03:25:53 +0000 (20:25 -0700)]
Merge tag 'stable/for-linus-3.9-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen
Pull Xen fixes from Konrad Rzeszutek Wilk:
- Compile warnings and errors (one on x86, two on ARM)
- WARNING in xen-pciback
- Use the acpi_processor_get_performance_info instead of the 'register'
version
* tag 'stable/for-linus-3.9-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
xen/acpi: remove redundant acpi/acpi_drivers.h include
xen: arm: mandate EABI and use generic atomic operations.
acpi: Export the acpi_processor_get_performance_info
xen/pciback: Don't disable a PCI device that is already disabled.
I had assumed that the only use of module aliases for filesystems
prior to "fs: Limit sys_mount to only request filesystem modules."
was in request_module. It turns out I was wrong. At least mkinitcpio
in Arch linux uses these aliases.
So readd the preexising aliases, to keep from breaking userspace.
Userspace eventually will have to follow and use the same aliases the
kernel does. So at some point we may be delete these aliases without
problems. However that day is not today.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Oliver Neukum [Tue, 12 Mar 2013 13:52:42 +0000 (14:52 +0100)]
USB: cdc-wdm: fix buffer overflow
The buffer for responses must not overflow.
If this would happen, set a flag, drop the data and return
an error after user space has read all remaining data.
Signed-off-by: Oliver Neukum <oliver@neukum.org> CC: stable@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
In commit 887cbce0adea ("arch Kconfig: centralise ARCH_NO_VIRT_TO_BUS")
I introduced the config sybmol HAVE_VIRT_TO_BUS and selected that where
needed. I am not sure what I was thinking. Instead, just directly
select VIRT_TO_BUS where it is needed.
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys
Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to
compat_process_vm_rw() shows that the compatibility code requires an
explicit "access_ok()" check before calling
compat_rw_copy_check_uvector(). The same difference seems to appear when
we compare fs/read_write.c:do_readv_writev() to
fs/compat.c:compat_do_readv_writev().
This subtle difference between the compat and non-compat requirements
should probably be debated, as it seems to be error-prone. In fact,
there are two others sites that use this function in the Linux kernel,
and they both seem to get it wrong:
Now shifting our attention to fs/aio.c, we see that aio_setup_iocb()
also ends up calling compat_rw_copy_check_uvector() through
aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to
be missing. Same situation for
security/keys/compat.c:compat_keyctl_instantiate_key_iov().
I propose that we add the access_ok() check directly into
compat_rw_copy_check_uvector(), so callers don't have to worry about it,
and it therefore makes the compat call code similar to its non-compat
counterpart. Place the access_ok() check in the same location where
copy_from_user() can trigger a -EFAULT error in the non-compat code, so
the ABI behaviors are alike on both compat and non-compat.
While we are here, fix compat_do_readv_writev() so it checks for
compat_rw_copy_check_uvector() negative return values.
And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error
handling.
Linus Torvalds [Tue, 12 Mar 2013 17:37:14 +0000 (10:37 -0700)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm nouveau fixes from Dave Airlie:
"This is just nouveau fixes from Ben, one fixes a nasty oops that some
Fedora people have been seeing, so I'd like to get it out of the way."
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
drm/nv50: use correct tiling methods for m2mf buffer moves
drm/nouveau: idle channel before releasing notify object
drm/nouveau: fix regression in vblanking
drm/nv50: encoder creation failure doesn't mean full init failure
Linus Torvalds [Tue, 12 Mar 2013 17:21:38 +0000 (10:21 -0700)]
Merge tag 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
Pull ARM SoC fixes from Arnd Bergmann:
"These bug fixes are for the largest part for mvebu/kirkwood, which saw
a few regressions after the clock infrastructure was enabled, and for
OMAP, which showed a few more preexisting bugs with the new
multiplatform support.
Other small fixes are for imx, mxs, tegra, spear and socfpga"
* tag 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (37 commits)
ARM: spear3xx: Use correct pl080 header file
Arm: socfpga: pl330: Add #dma-cells for generic dma binding support
ARM: multiplatform: Sort the max gpio numbers.
ARM: imx: fix typo "DEBUG_IMX50_IMX53_UART"
ARM: imx: pll1_sys should be an initial on clk
arm: mach-orion5x: fix typo in compatible string of a .dts file
arm: mvebu: fix address-cells in mpic DT node
arm: plat-orion: fix address decoding when > 4GB is used
arm: mvebu: Reduce reg-io-width with UARTs
ARM: Dove: add RTC device node
arm: mvebu: enable the USB ports on Armada 370 Reference Design board
ARM: dove: drop "select COMMON_CLK_DOVE"
rtc: rtc-mv: Add support for clk to avoid lockups
gpio: mvebu: Add clk support to prevent lockup
ARM: kirkwood: fix to retain gbe MAC addresses for DT kernels
ARM: kirkwood: of_serial: fix clock gating by removing clock-frequency
ARM: mxs: cfa10049: Fix fb initialisation function
ARM: SPEAr13xx: Fix typo "ARCH_HAVE_CPUFREQ"
ARM: OMAP: RX-51: add missing USB phy binding
clk: Tegra: Remove duplicate smp_twd clock
...
Linus Torvalds [Tue, 12 Mar 2013 17:20:15 +0000 (10:20 -0700)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu
Pull m68knommu fixes from Greg Ungerer:
"It contains a few small fixes for the non-MMU m68k platforms. Fixes
some compilation problems, some broken header definitions, removes an
unused config option and adds a name for the old 68000 CPU support."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
m68k: drop "select EMAC_INC"
m68knommu: fix misnamed GPIO pin definition for ColdFire 528x CPU
m68knommu: fix MC68328.h defines
m68knommu: fix build when CPU is not coldfire
m68knommu: add CPU_NAME for 68000
Linus Torvalds [Tue, 12 Mar 2013 16:20:58 +0000 (09:20 -0700)]
Merge branch 'for-3.9' of git://linux-nfs.org/~bfields/linux
Pull nfsd bugfixes from Bruce Fields:
"Some minor fallout from the user-namespace work broke most krb5 mounts
to nfsd, and I screwed up a change to the AF_LOCAL rpc code."
* 'for-3.9' of git://linux-nfs.org/~bfields/linux:
sunrpc: don't attempt to cancel unitialized work
nfsd: fix krb5 handling of anonymous principals
Steve Conklin [Thu, 7 Mar 2013 23:19:33 +0000 (17:19 -0600)]
usb: serial: Add Rigblaster Advantage to device table
The Rigblaster Advantage is an amateur radio interface sold by West Mountain
Radio. It contains a cp210x serial interface but the device ID is not in
the driver.
Paul Bolle [Tue, 12 Mar 2013 09:10:32 +0000 (10:10 +0100)]
tty: serial: fix typo "SERIAL_S3C2412"
The Kconfig symbol SERIAL_S3C2412 got removed in commit da121506eb03ee5daea55404709110b798bd61d9 ("serial: samsung: merge
probe() function from all SoC specific extensions"). But it also added a
last reference to that symbol. The commit and the tree make clear that
CPU_S3C2412 should have been used instead.
Josh Boyer [Sun, 10 Mar 2013 14:33:40 +0000 (10:33 -0400)]
serial: 8250: Keep 8250.<xxxx> module options functional after driver rename
With commit 835d844d1 (8250_pnp: do pnp probe before legacy probe), the
8250 driver was renamed to 8250_core. This means any existing usage of
the 8259.<xxxx> module parameters or as a kernel command line switch is
now broken, as the 8250_core driver doesn't parse options belonging to
something called "8250".
To solve this, we redefine the module options in a dummy function using
a redefined MODULE_PARAM_PREFX when built into the kernel. In the case
where we're building as a module, we provide an alias to the old 8250
name. The dummy function prevents compiler errors due to global variable
redefinitions that happen as part of the module_param_ macro expansions.
Paul Bolle [Sat, 9 Mar 2013 22:16:44 +0000 (23:16 +0100)]
tty: serial: fix typo "ARCH_S5P6450"
This could have been either ARCH_S5P64X0 or CPU_S5P6450. Looking at
commit 2555e663b367b8d555e76023f4de3f6338c28d6c ("ARM: S5P64X0: Add UART
serial support for S5P6450") - which added this typo - makes clear this
should be CPU_S5P6450.
Signed-off-by: Paul Bolle <pebolle@tiscali.nl> Acked-by: Kukjin Kim <kgene.kim@samsung.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sean Young [Fri, 22 Feb 2013 16:27:19 +0000 (16:27 +0000)]
tty/8250_pnp: serial port detection regression since v3.7
The InsydeH2O BIOS (version dated 09/12/2011) has the following in
its pnp resouces for its serial ports:
$ cat /sys/bus/pnp/devices/00:0b/resources
state = active
io disabled
irq disabled
We do not check if the resources are disabled, and create a bogus
ttyS* device. Since commit 835d844d1a28e (8250_pnp: do pnp probe
before legacy probe) we get a bogus ttyS0, which prevents the legacy
probe from detecting it.
Note, the BIOS can also be upgraded, fixing this problem, but for people
who can't do that, this fix is needed.
Reported-by: Vincent Deffontaines <vincent@gryzor.com> Tested-by: Vincent Deffontaines <vincent@gryzor.com> Signed-off-by: Sean Young <sean@mess.org> Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jonas Gorski [Sun, 24 Feb 2013 13:08:39 +0000 (14:08 +0100)]
serial: bcm63xx_uart: fix compilation after "TTY: switch tty_insert_flip_char"
92a19f9cec9a80ad93c06e115822deb729e2c6ad introduced a local variable
with the same name as the argument to bcm_uart_do_rx, breaking
compilation. Fix this by renaming the new variable and its uses where
expected.
Looking back at that thread there were two issues in the original patch.
1) The I/O ports for the UARTs are within BAR2 not BAR0. This can been seen in the original post.
2) A serial quirk isn't needed as these cards have no memory in BAR0 which makes pci_plx9050_init just return.
This patch fixes the 4 port support to use BAR2, removes the bogus quirk and adds support for the 8 port card.
$ lspci -vvv -n -s 00:08.0
00:08.0 0780: 10b5:9050 (rev 01)
Subsystem: 10b5:1588
Control: I/O+ Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Interrupt: pin A routed to IRQ 17
Region 1: I/O ports at ff00 [size=128]
Region 2: I/O ports at fe00 [size=64]
Region 3: I/O ports at fd00 [size=8]
Capabilities: <access denied>
Kernel driver in use: serial
$ dmesg | grep 0000:00:08.0:
[ 0.083320] pci 0000:00:08.0: [10b5:9050] type 0 class 0x000780
[ 0.083355] pci 0000:00:08.0: reg 14: [io 0xff00-0xff7f]
[ 0.083369] pci 0000:00:08.0: reg 18: [io 0xfe00-0xfe3f]
[ 0.083382] pci 0000:00:08.0: reg 1c: [io 0xfd00-0xfd07]
[ 0.083460] pci 0000:00:08.0: PME# supported from D0 D3hot
[ 1.212867] 0000:00:08.0: ttyS4 at I/O 0xfe00 (irq = 17) is a 16550A
[ 1.233073] 0000:00:08.0: ttyS5 at I/O 0xfe08 (irq = 17) is a 16550A
[ 1.253270] 0000:00:08.0: ttyS6 at I/O 0xfe10 (irq = 17) is a 16550A
[ 1.273468] 0000:00:08.0: ttyS7 at I/O 0xfe18 (irq = 17) is a 16550A
[ 1.293666] 0000:00:08.0: ttyS8 at I/O 0xfe20 (irq = 17) is a 16550A
[ 1.313863] 0000:00:08.0: ttyS9 at I/O 0xfe28 (irq = 17) is a 16550A
[ 1.334061] 0000:00:08.0: ttyS10 at I/O 0xfe30 (irq = 17) is a 16550A
[ 1.354258] 0000:00:08.0: ttyS11 at I/O 0xfe38 (irq = 17) is a 16550A
mpc512x platform clock code names PSC clocks as "pscX_mclk" but
the driver tries to get "pscX_clk" clock and this results in
errors like:
mpc52xx-psc-uart 80011700.psc: Failed to get PSC clock entry!
The problem appears when opening ttyPSC devices other than the
system's serial console. Since getting and enabling the PSC clock
fails, uart port startup doesn't succeed and tty flag TTY_IO_ERROR
remains set causing further errors in tty ioctls, i.e.
'strace stty -F /dev/ttyPSC1' shows:
Al Viro [Tue, 12 Mar 2013 02:59:49 +0000 (02:59 +0000)]
vfs: fix pipe counter breakage
If you open a pipe for neither read nor write, the pipe code will not
add any usage counters to the pipe, causing the 'struct pipe_inode_info"
to be potentially released early.
That doesn't normally matter, since you cannot actually use the pipe,
but the pipe release code - particularly fasync handling - still expects
the actual pipe infrastructure to all be there. And rather than adding
NULL pointer checks, let's just disallow this case, the same way we
already do for the named pipe ("fifo") case.
This is ancient going back to pre-2.4 days, and until trinity, nobody
naver noticed.
Reported-by: Dave Jones <davej@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Arnd Bergmann [Fri, 1 Mar 2013 23:10:30 +0000 (00:10 +0100)]
ARM: spear3xx: Use correct pl080 header file
The definitions have move around recently, causing build errors
in spear3xx for all configurations:
spear3xx.c:47:5: error: 'PL080_BSIZE_16' undeclared here (not in a function)
spear3xx.c:47:23: error: 'PL080_CONTROL_SB_SIZE_SHIFT' undeclared here (not in a function)
spear3xx.c:48:22: error: 'PL080_CONTROL_DB_SIZE_SHIFT' undeclared here (not in a function)
David Howells [Tue, 12 Mar 2013 05:44:31 +0000 (16:44 +1100)]
keys: fix race with concurrent install_user_keyrings()
This fixes CVE-2013-1792.
There is a race in install_user_keyrings() that can cause a NULL pointer
dereference when called concurrently for the same user if the uid and
uid-session keyrings are not yet created. It might be possible for an
unprivileged user to trigger this by calling keyctl() from userspace in
parallel immediately after logging in.
Assume that we have two threads both executing lookup_user_key(), both
looking for KEY_SPEC_USER_SESSION_KEYRING.
THREAD A THREAD B
=============================== ===============================
==>call install_user_keyrings();
if (!cred->user->session_keyring)
==>call install_user_keyrings()
...
user->uid_keyring = uid_keyring;
if (user->uid_keyring)
return 0;
<==
key = cred->user->session_keyring [== NULL]
user->session_keyring = session_keyring;
atomic_inc(&key->usage); [oops]
At the point thread A dereferences cred->user->session_keyring, thread B
hasn't updated user->session_keyring yet, but thread A assumes it is
populated because install_user_keyrings() returned ok.
The race window is really small but can be exploited if, for example,
thread B is interrupted or preempted after initializing uid_keyring, but
before doing setting session_keyring.
This couldn't be reproduced on a stock kernel. However, after placing
systemtap probe on 'user->session_keyring = session_keyring;' that
introduced some delay, the kernel could be crashed reliably.
Fix this by checking both pointers before deciding whether to return.
Alternatively, the test could be done away with entirely as it is checked
inside the mutex - but since the mutex is global, that may not be the best
way.
Signed-off-by: David Howells <dhowells@redhat.com> Reported-by: Mateusz Guzik <mguzik@redhat.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: James Morris <james.l.morris@oracle.com>
Sage Weil [Wed, 6 Mar 2013 22:57:03 +0000 (14:57 -0800)]
libceph: fix decoding of pgids
In 4f6a7e5ee1393ec4b243b39dac9f36992d161540 we effectively dropped support
for the legacy encoding for the OSDMap and incremental. However, we didn't
fix the decoding for the pgid.
Signed-off-by: Sage Weil <sage@inktank.com> Reviewed-by: Yehuda Sadeh <yehuda@inktank.com>
ext3_msg() takes the printk prefix as the second parameter and the
format string as the third parameter. Two callers of ext3_msg omit the
prefix and pass the format string as the second parameter and the first
parameter to the format string as the third parameter. In both cases
this string comes from an arbitrary source. Which means the string may
contain format string characters, which will
lead to undefined and potentially harmful behavior.
The issue was introduced in commit 4cf46b67eb("ext3: Unify log messages
in ext3") and is fixed by this patch.
CC: stable@vger.kernel.org Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Jan Kara <jack@suse.cz>
Jeff Mahoney [Wed, 27 Feb 2013 19:43:09 +0000 (14:43 -0500)]
quota: add missing use of dq_data_lock in __dquot_initialize
The bulk of __dquot_initialize runs under the dqptr_sem which
protects the inode->i_dquot pointers. It doesn't protect the
dereferenced contents, though. Those are protected by the
dq_data_lock, which is missing around the dquot_resv_space call.
Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: Jan Kara <jack@suse.cz>
Arm: socfpga: pl330: Add #dma-cells for generic dma binding support
This patch adds #dma-cells property to PL330 DMA controller nodes for
supporting generic dma dt bindings on SOCFPGA platform. #dma-channels
and #dma-requests are not required now but added in advance.
Signed-off-by: Padmavathi Venna <padma.v@samsung.com> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Arnd Bergmann [Mon, 11 Mar 2013 20:55:40 +0000 (21:55 +0100)]
Merge tag 'mvebu_fixes_for_v3.9' of git://git.infradead.org/users/jcooper/linux into fixes
mvebu fixes for v3.9 from Jason Cooper <jason@lakedaemon.net>:
The first four patches:
89c58c1 rtc: rtc-mv: Add support for clk to avoid lockups de88747 gpio: mvebu: Add clk support to prevent lockup 7bf5b40 ARM: kirkwood: fix to retain gbe MAC addresses for DT kernels 93fff4c ARM: kirkwood: of_serial: fix clock gating by removing clock-frequency
are Cc'd to stable since they were held over from the previous merge window.
The rest are a small collection of fixes and a couple of devicetree conversion
catchups.
* tag 'mvebu_fixes_for_v3.9' of git://git.infradead.org/users/jcooper/linux:
arm: mach-orion5x: fix typo in compatible string of a .dts file
arm: mvebu: fix address-cells in mpic DT node
arm: plat-orion: fix address decoding when > 4GB is used
arm: mvebu: Reduce reg-io-width with UARTs
ARM: Dove: add RTC device node
arm: mvebu: enable the USB ports on Armada 370 Reference Design board
ARM: dove: drop "select COMMON_CLK_DOVE"
rtc: rtc-mv: Add support for clk to avoid lockups
gpio: mvebu: Add clk support to prevent lockup
ARM: kirkwood: fix to retain gbe MAC addresses for DT kernels
ARM: kirkwood: of_serial: fix clock gating by removing clock-frequency